Get email notifications on new entries

I have set up a honeypot in one of our segments. When someone logs into it, it logs the credentials into a log file. Using Filebeat, I ship the new entries from the log to the Elastic stack, which looks like this on the dashboard.

Since I was given a 0 budget, is there a way to have the elastic stack send an email when that dashboard gets a new entry within the free tier? If not, is there a way to have the Linux OS send a notification when the log file gets a new entry with something like Postfix or Sendmail?

Huge thanks ahead.

There is no way of doing it directly from Elasticsearch in the free tier. But I feel your pain with the 0 budget and I will suggest this:

  1. Use something like Python to send the emails: https://realpython.com/python-send-email/
  2. Set up a script to run in the background that queries Elasticsearch (there is an ES Python client that is easy to use) and sends an email when the number of documents in your filebeat indices has increased since the last query.

Thanks for the response!

I've ended up adding the following to my logstash config:

# If our honeypot (called cowrie) gets someone, send me an email
if [log][file][path] =~ "cowrie.json" {
  if [message] =~ "^New connection" {
    email {
      from    => 'honeypot-entries@companyname-elk.net'
      to      => 'john@companyname.net'
      subject => 'Honeypot Alert'
      body    => "Someone interacted with the honeypot!\nDetails: %{message}\nClick here to view the dashboard."
      # 'domain' is the HELO/EHLO name the plugin sends in its SMTP greeting;
      # the mail server to connect to is set with 'address' (default localhost) and 'port'
      domain  => 'mail.company.net'
      port    => 25
    }
  }
}

It works perfectly; now my only problem is setting up the body of the email. I can't seem to create hyperlinks like this. It was suggested that I use htmlbody instead of html, but I wasn't able to find how to set a new line, since variables are defined on one line.

Basically, all I'm trying to achieve is an email that would look like this:

New honeypot entry!
*details*
for successful and failed logins dashboard, click here <- clickable
for command history logins, click here <- clickable
for "suspicious activity" dashboard, click here <- clickable
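The polling approach from the first reply (a background script that counts documents in the filebeat indices and mails when the count grew) and the e-mail layout asked for in the last post (line breaks plus clickable dashboard links) can be put together in one script. This is an added example, not code from this thread or from Elastic. It uses the REST `_count` endpoint over plain `urllib` instead of the elasticsearch-py client the reply mentions, so it needs no third-party package; the Elasticsearch URL, index pattern, state-file path, SMTP host and the three dashboard URLs are placeholder assumptions, and the sender/recipient addresses are the ones from the Logstash config above. The HTML part uses `<br>` for new lines and `<a href>` for links, which is what `htmlbody` in Logstash would also need.

```python
import json
import smtplib
import urllib.request
from email.message import EmailMessage
from html import escape
from pathlib import Path

# Assumptions for this example (not taken from the thread): adjust to your environment.
ES_URL = "http://localhost:9200"
INDEX_PATTERN = "filebeat-*"
STATE_FILE = Path("/var/tmp/honeypot-alert-state.json")
SMTP_HOST, SMTP_PORT = "localhost", 25
SENDER = "honeypot-entries@companyname-elk.net"   # sender used in the thread's Logstash config
RECIPIENT = "john@companyname.net"                # recipient used in the thread's Logstash config
DASHBOARDS = {  # placeholder Kibana URLs: replace with the real dashboard links
    "successful and failed logins": "https://kibana.example.invalid/app/dashboards#/view/LOGINS-DASHBOARD-ID",
    "command history": "https://kibana.example.invalid/app/dashboards#/view/COMMANDS-DASHBOARD-ID",
    "suspicious activity": "https://kibana.example.invalid/app/dashboards#/view/SUSPICIOUS-DASHBOARD-ID",
}


def _http_get(url):
    """Fetch a URL and return the raw response body (add auth headers here if your cluster needs them)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def count_documents(es_url=ES_URL, index_pattern=INDEX_PATTERN, fetch=_http_get):
    """Return the number of documents matching index_pattern, via the Elasticsearch _count API."""
    body = fetch(f"{es_url}/{index_pattern}/_count")
    return int(json.loads(body)["count"])


def load_last_count(path):
    """Count recorded by the previous run, or None on the very first run."""
    if not path.exists():
        return None
    return json.loads(path.read_text())["count"]


def save_last_count(path, count):
    path.write_text(json.dumps({"count": count}))


def new_entries(previous, current):
    """Documents added since the last run; a drop (index deleted or rolled by ILM) counts as 0, not as an alert."""
    return max(current - previous, 0)


def build_alert(new_count, dashboards=DASHBOARDS, sender=SENDER, recipient=RECIPIENT):
    """Build a multipart/alternative mail: plain text for text clients, HTML with real links for the rest."""
    msg = EmailMessage()
    msg["Subject"] = f"Honeypot Alert: {new_count} new entr{'y' if new_count == 1 else 'ies'}"
    msg["From"] = sender
    msg["To"] = recipient
    text_lines = [f"New honeypot entry! ({new_count} new documents)", ""]
    html_lines = [f"<p><b>New honeypot entry!</b> ({new_count} new documents)</p>"]
    for name, url in dashboards.items():
        text_lines.append(f"for {name} dashboard: {url}")
        # <br> is the line break and <a href> the clickable link; escape() keeps the markup well-formed
        html_lines.append(f'for {escape(name)} dashboard, <a href="{escape(url)}">click here</a><br>')
    msg.set_content("\n".join(text_lines))
    msg.add_alternative("\n".join(html_lines), subtype="html")
    return msg


def send_alert(msg, host=SMTP_HOST, port=SMTP_PORT):
    """Hand the message to the local MTA (Postfix/Sendmail) or relay configured above."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg)


def check_once(count_fn=count_documents, state_path=STATE_FILE, notify=send_alert):
    """One polling cycle. Returns the number of new documents; the first run only records a baseline."""
    current = count_fn()
    previous = load_last_count(state_path)
    save_last_count(state_path, current)
    if previous is None:
        return 0  # do not alert on everything already in the index
    added = new_entries(previous, current)
    if added > 0:
        notify(build_alert(added))
    return added


if __name__ == "__main__":
    # Run from cron (e.g. every minute); each run alerts only on documents added since the previous run.
    print(f"{check_once()} new honeypot documents")
```

The state file is what makes this safe to run from cron: without it every run would re-alert on the whole index. Because the count can also shrink when ILM deletes old filebeat indices, the delta is clamped at zero rather than treated as an error.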
